Guest post by David Thompson, senior director, product management, LightCyber.
Healthcare organizations are stuck between being an ever-increasing target for data breaches and generally having fewer security resources than a comparable enterprise. It’s a classic situation of needing to do more with less, with all of the urgency of a full-scale crisis.
Now it’s not uncommon to see the same organization suffer its second or third data breach, and patience (and patients too) is wearing thin. At the same time, we know that many organizations have intruders that have lingered and stayed hidden for a year or more. It’s possible the cybercriminals are using an undiscovered foothold in one organization to get to another within the same health or provider network.
Almost without exception, healthcare organizations of all sizes seem unable to stop a data breach. Stopping a breach means different things to different people, and that is part of the problem. A good portion of the industry is still focused on completely keeping an intruder from getting into the network. This is a fool’s errand and simply not achievable. Motivated attackers will find a way into any given network. Some professional penetration-testing contractors will guarantee that they can break into your network within two days. There are far too many ways for an attacker to get in, particularly through an employee account or computer.
So, you can’t keep a network intruder out, but you can try to detect their presence as quickly as possible. Almost all healthcare organizations currently lack this capability, but some newer solutions and procedures are showing great promise in making the speedy detection of a network attacker a reality. The good news is that these approaches might only require an hour or two of personnel time each day—and sometimes quite a bit less than that—so it is well within the means of a small healthcare IT group that wears multiple hats and is always pulled thin.
Traditionally, security practitioners have focused their efforts on the never-ending task of finding and eradicating malware. While certainly important, this pursuit has resulted in a singular approach to security focused on identifying and stopping known threats based on a set of pre-determined attributes, such as a signature, URL or a set of actions of software executed in a protected sandbox environment. This type of “known bad” security is mostly worthless in detecting an external attacker or insider that is actively at work on a network.
An external targeted attack or an insider attack is human-run, rather than propelled by some kind of autonomous malicious software. Finding an attacker requires looking for the operational activities they must perform while exploring the network, establishing a greater sphere of control and gaining access to valuable assets. These steps are generally invisible to an organization unless it has the visibility and intelligence to distinguish them from other activity.
The surest way to detect the activities of an active attacker is to use one of the newest generation of tools to establish ongoing profiles of all users and devices, yielding a baseline of what is normal or good for that particular network. This view comes primarily from the network rather than from an individual computer or device, because a “big picture” perspective is needed to see activity between machines as an attacker tries to understand the network, improve their position and gain greater control. The limited vantage of a single endpoint is generally not sufficient to see and understand these activities.
Once there is comprehensive knowledge of known good, it’s possible to find anomalies and, with advanced machine learning, sort out those with a high likelihood of being part of an orchestrated attack. In this way, it’s possible to find an attacker early, before they have a chance to steal or cause damage.
This known good model of security is advantageous for healthcare organizations because of the fidelity involved with alerting. Rather than creating a security alert for every trace of malware or anomaly, it is possible to warn only of the strong indicators of an active attack. Instead of having hundreds or thousands of daily alerts to wade through, a security operator should just expect a small handful, around one per thousand endpoints in the organization. A small group of generalists or even a single IT or security person can accommodate such a daily alert volume, particularly if the alerts are highly accurate and pre-researched.
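As an added illustration of the per-device baselining described above (example code written for this post, not LightCyber’s product or any vendor’s code), the script below learns each host’s normal set of internal peers from constructed network flow records, then scores a new day against each host’s own norm so that only a large departure, such as one workstation suddenly reaching many never-seen hosts on file-sharing and remote-desktop ports, produces an alert. The flow tuple shape, host names, ports and thresholds are all assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flows: (day, source host, destination host, destination port).
# Days 1-3 are the learning window; day 4 is the day being scored.
BASELINE_FLOWS = [
    (day, src, dst, port)
    for day in (1, 2, 3)
    for src, dst, port in [
        ("ws-alice", "fs01", 445), ("ws-alice", "mail01", 443), ("ws-alice", "dc01", 389),
        ("ws-bob", "fs01", 445), ("ws-bob", "mail01", 443), ("ws-bob", "prn01", 9100),
        ("srv-db01", "bkp01", 22),
    ]
]
TODAY_FLOWS = [
    (4, "ws-alice", "fs01", 445), (4, "ws-alice", "mail01", 443),
    *[(4, "ws-alice", f"ws-{n:02d}", 445) for n in range(1, 7)],  # six never-seen peers on SMB
    (4, "ws-alice", "ws-01", 3389), (4, "ws-alice", "ws-02", 3389),  # and RDP to two of them
    (4, "ws-bob", "fs01", 445), (4, "ws-bob", "prn01", 9100),
    (4, "srv-db01", "bkp01", 22), (4, "srv-db01", "bkp02", 22),  # one new backup target: benign drift
    (4, "ws-new", "fs01", 445), (4, "ws-new", "dc01", 389),  # brand-new host with no profile yet
]

def build_profiles(flows):
    """Per-source 'known good': the (host, port) peers it talked to, and the most
    distinct destinations it reached in any single day of the learning window."""
    peers, daily = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for day, src, dst, port in flows:
        peers[src].add((dst, port))
        daily[src][day].add(dst)
    return {src: {"peers": peers[src],
                  "typical_fanout": max(len(d) for d in daily[src].values())}
            for src in peers}

def detect(profiles, flows, floor=3, factor=2.0):
    """Alert only when a host reaches far more never-seen (host, port) pairs than its
    own norm allows: threshold = max(floor, factor * typical_fanout). A host with no
    profile gets the floor, so a newly deployed device is not flagged merely for existing."""
    novel = defaultdict(set)
    for _day, src, dst, port in flows:
        if (dst, port) not in profiles.get(src, {}).get("peers", set()):
            novel[src].add((dst, port))
    alerts = {}
    for src, pairs in novel.items():
        threshold = max(floor, factor * profiles.get(src, {}).get("typical_fanout", 0))
        if len(pairs) >= threshold:
            alerts[src] = {"new_pairs": len(pairs), "threshold": threshold,
                           "ports": sorted({p for _, p in pairs})}
    return alerts

if __name__ == "__main__":
    for host, info in detect(build_profiles(BASELINE_FLOWS), TODAY_FLOWS).items():
        print(f"ALERT {host}: {info['new_pairs']} new peer/port pairs "
              f"(threshold {info['threshold']}) on ports {info['ports']}")
```

On the constructed data only ws-alice is reported; the database server’s single new backup target and the unknown host’s two first-day connections stay below their thresholds, which is the low-volume, high-fidelity alerting the paragraph describes.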
Transitioning from a prevention-only mentality to one that is realistic and expects intruders and is prepared to find them early will change the balance of the data breach crisis for healthcare organizations, putting them on the winning side.